Docker secrets docs, presence in running container

Hello render,

I have a staging app, with a secret file .env in its env tab.
It has a Dockerfile with a stanza like:

RUN --mount=type=secret,id=_env,dst=/etc/secrets/.env source /etc/secrets/.env && do_stuff

I have two problems with it:

a) The secret file is actually present in my running container…

From http shell:

/app $ ls -laF /etc/secrets
total 4
drwxrwxrwt    3 root     root           100 Feb  3 15:45 ./
drwxr-xr-x    1 root     root          4096 Feb  3 15:45 ../
drwxr-xr-x    2 root     root            60 Feb  3 15:45 ..2022_02_03_15_45_32.762024175/
lrwxrwxrwx    1 root     root            31 Feb  3 15:45 -> ..2022_02_03_15_45_32.762024175/
lrwxrwxrwx    1 root     root            11 Feb  3 15:45 .env ->

b) The doc is confusing

Then, add --mount=type=secret,id=FILENAME,dst=/etc/secrets/FILENAME to your run RUN instructions, replacing FILENAME with the name of your secret file. If your filename contains non-alphanumeric characters, replace them with _ for the id= part.

If the file is actually present in the container, then we can just remove the --mount option and not pretend it is not there…

What I think is

Given I have a .env file in the Docker build context

And I have in my Dockerfile

RUN --mount=type=secret,id=.env dostuff


docker build --secret id=.env .

will make /run/secrets/.env available to the dostuff command.

Why is there an _ hack?
Why is there a dst=/etc/secrets/.env option?

Did I miss something?
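
The naming rule in the doc text quoted above, written out as an added example (not part of the original post and not Render's own code): it derives the `id=` value from a secret filename and checks the secret mounts in a Dockerfile against the documented `id=`/`dst=` form. The function names, the ASCII-only reading of "non-alphanumeric", and the `FROM alpine` line in the sample are assumptions.

```python
import posixpath
import re

SECRETS_DIR = "/etc/secrets"  # destination directory named in the quoted doc text

def secret_id(filename):
    """Quoted rule: every non-alphanumeric character becomes '_' (ASCII assumed)."""
    return re.sub(r"[^A-Za-z0-9]", "_", filename)

def mount_flag(filename):
    """Build the RUN flag in the form the quoted doc text describes."""
    return f"--mount=type=secret,id={secret_id(filename)},dst={SECRETS_DIR}/{filename}"

def check_dockerfile(text):
    """Return (line_number, message) for secret mounts that depart from that form."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in re.finditer(r"--mount=(\S+)", line):
            opts = dict(kv.split("=", 1) for kv in match.group(1).split(",") if "=" in kv)
            if opts.get("type") != "secret":
                continue
            # BuildKit accepts target, dst and destination as the same option.
            dst = opts.get("dst") or opts.get("target") or opts.get("destination")
            if dst is None:
                findings.append((number, "no dst=; BuildKit defaults to /run/secrets/<id>"))
                continue
            if posixpath.dirname(dst) != SECRETS_DIR:
                findings.append((number, f"dst {dst} is not directly under {SECRETS_DIR}"))
                continue
            expected = secret_id(posixpath.basename(dst))
            if opts.get("id") != expected:
                findings.append((number, f"id={opts.get('id')} should be id={expected}"))
    return findings

# Constructed sample built from the two RUN lines in the post.
SAMPLE = """\
FROM alpine
RUN --mount=type=secret,id=_env,dst=/etc/secrets/.env source /etc/secrets/.env && do_stuff
RUN --mount=type=secret,id=.env dostuff
"""

if __name__ == "__main__":
    print(mount_flag(".env"))
    for number, message in check_dockerfile(SAMPLE):
        print(f"line {number}: {message}")
```

The checker reads one line at a time, so a `RUN` instruction split across lines with `\` is only checked on the line that carries the `--mount` flag.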